[Pidgin] #14830: dbus information leakage
Pidgin
trac at pidgin.im
Sun Feb 26 15:13:29 EST 2012
#14830: dbus information leakage
-----------------------------+----------------------------------------------
Reporter: dfunc | Owner: rekkanoryo
Type: enhancement | Status: new
Milestone: Patches welcome | Component: libpurple
Version: 2.10.0 | Resolution:
Keywords: privacy |
-----------------------------+----------------------------------------------
Changes (by MarkDoliner):
* cc: security at pidgin.im (removed)
* cc: mark at kingant.net (added)
* type: defect => enhancement
* milestone: => Patches welcome
Comment:
This issue isn't buffer overflow/remote code execution, and it isn't a
crash/denial of service. I think it's even a bit of a stretch to call
this a bug in libpurple--personally I'd describe it as missing
functionality that is desired by a third-party plugin. And this issue by
itself isn't even a problem--it's only a problem if your system has
ALREADY been compromised. For these reasons I think a CVE number is a bit
over the top. It doesn't seem like distributions need to track this issue
outside of the normal Pidgin/libpurple release cycle. But I guess people
have different expectations of how secure OTR should be.
It seems reasonable for us to add functionality to libpurple such that a
plugin can specify that a message should not be broadcast over dbus. Then
someone would need to change the OTR plugin to use this flag. And whether
the flag is set should probably be configurable in OTR, since some users
will want their OTR messages to be broadcast over dbus (for example, if
they have a dbus app that watches for incoming IMs and shows a desktop
notification).
--
Ticket URL: <http://developer.pidgin.im/ticket/14830#comment:11>
Pidgin <http://pidgin.im>